Spamming my HTTP referrer logs, pt. 2

I’ve been getting a very weird attack on my sites recently, including this blog, the SpamAssassin websites, and http://jmason.org/ , whereby some luser is sending lots of requests, using made-up URLs in the referral field. Initially, I thought it was some kind of underpowered retaliation for SpamAssassin, but if that’s the case, they need to bone up a bit more on how these things work ;)

Alternatively, it could be an attempt to gain Googlejuice, by getting links from public referrer logs (my ones are).

Up ’til about a month ago, it was all porn sites. Recently, though, it’s been a selection of real domains that sound like they were put together by combining dictionary words or something.

All the attempts have come from IP address 216.127.68.58, owned by Everyone’s Internet, Inc. in Houston, TX:

216.127.68.58 - - [31/Mar/2003:00:01:53 +0100] "GET / HTTP/1.1" 200 72143 "http://www.aircheckfactory.com" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

Here’s the domains in question:

  • AIRCHECKFACTORY.COM
  • ALTOTECHNOLOGY.COM
  • BAIDYANATHINDIA.COM
  • NXTCENTURY.COM
  • TIMEART.NET
  • WOTEVA.COM

Perhaps they’re recent lapsed domains which the spammer has picked up. Otherwise, what’s the connection between Baidyanath (a manufacturer of Ayurvedic products in India, thx Suresh) and ‘woteva’ (which sounds like ‘whatever’ in a UK English accent)?

I’ve whois’d them all, and they all seem to share two things: the name ‘Robert Woodley’ (or its initials), and the number (772) 594-2421. Area code 772 is — guess where — Florida. They should just cut to the chase and put ‘The Spammer State’ on their numberplates.

The pages on those sites are automatically generated using what looks like USENET postings and Google image search results, with a link to Commission Junction.

None of the names are in ROKSO, it seems. Do they ring a bell with anyone reading?
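
One way to pick the pattern described in this post out of an Apache combined-format log, as an added example that is not part of the original post: group external referrer hosts by client IP, flag any client that names several, and note the literal "User-Agent:" prefix inside the logged agent string (visible in the log line above), which a browser does not send. OWN_HOSTS, the min_hosts threshold and every sample line after the first are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache combined format; only client IP, Referer and User-Agent are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
OWN_HOSTS = {"jmason.org", "www.jmason.org"}  # assumption: hosts this log serves

# First line is the one quoted in the post; the remaining lines are constructed.
SAMPLE_LOG = """\
216.127.68.58 - - [31/Mar/2003:00:01:53 +0100] "GET / HTTP/1.1" 200 72143 "http://www.aircheckfactory.com" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
216.127.68.58 - - [31/Mar/2003:00:02:10 +0100] "GET / HTTP/1.1" 200 72143 "http://www.timeart.net" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
216.127.68.58 - - [31/Mar/2003:00:02:31 +0100] "GET / HTTP/1.1" 200 72143 "http://www.woteva.com" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
192.0.2.10 - - [31/Mar/2003:00:03:02 +0100] "GET /about HTTP/1.1" 200 5120 "http://www.google.com/search?q=spamassassin" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
192.0.2.10 - - [31/Mar/2003:00:03:40 +0100] "GET /feed HTTP/1.1" 200 900 "http://jmason.org/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
"""

def referrer_host(referer):
    """Lower-cased host of a Referer value, or None for '-', empty or unparsable."""
    if referer in ("", "-"):
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None

def find_referrer_spammers(lines, min_hosts=3):
    """Return {ip: {"hosts": [...], "bad_agent": bool}} for clients naming many external referrers."""
    hosts = defaultdict(set)
    bad_agent = defaultdict(bool)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not combined-format entries
        host = referrer_host(m["referer"])
        if host and host not in OWN_HOSTS:
            hosts[m["ip"]].add(host)
        # A header value that itself starts with "User-Agent:" points to a script.
        if m["agent"].lower().startswith("user-agent:"):
            bad_agent[m["ip"]] = True
    return {
        ip: {"hosts": sorted(seen), "bad_agent": bad_agent[ip]}
        for ip, seen in hosts.items()
        if len(seen) >= min_hosts
    }

if __name__ == "__main__":
    print(find_referrer_spammers(SAMPLE_LOG.splitlines()))
```

On a real log, pass the open file object as `lines` and tune `min_hosts` against normal traffic, since a client following links from a few different sites is legitimate.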